This lab is the first one in a series of labs. You may use the steps in the Cisco Enterprise Networks Hardware Sandbox environment, or equally, you might utilize them as part of a Proof of Concept setup at a customer's lab. These procedures may also help form part of a deployment or implementation. Use them to ensure that all the necessary steps are complete before onboarding any devices within DNA Center.
We will be utilizing the lab in this manner:
As you may recall, in the informational sections of this repository, we described various methods of discovery for a device and the preliminary things required for proper zero-touch provisioning. This lab will ensure a successful connection to DNA Center by helping to deploy the initial concepts.
To set up the lab, log into the console connection of the 4331 by clicking the dropdown button under its icon in dCloud and selecting 'Console'. A new tab will open; click 'Connect' and you should now be connected to the console of the router. To obtain the enable password, navigate back to the topology diagram in dCloud, click on any of the Windows clients or devices, and copy-paste the password into the Hardware Console tab after issuing the enable CLI command. Once you are in enable mode on the 4331 hardware console, issue the following commands:
Warning: use these commands only against the lab environment.
SJC
!
conf t
!
!disable port 0/0/1 for the templating lab
int gi 0/0/1
shutdown
end
!
wr
!
For PnP processes to work, we intend to have a management interface on the device. In this lab, we will set up a VLAN interface for both management and connectivity. You don't have to do it this way; we are just giving a relatively uncomplicated example, and you can alter this to suit your needs. As the device connects to the front-facing ports, we have to rely on the default configuration.
As you may recall, a factory default configuration uses VLAN 1, as no other VLAN exists, and by default it accepts DHCP addresses. We can use this behaviour in the PnP process. However, the management VLAN may be different, and so may the native VLAN structure of our environment. To that end, we use the pnp startup-vlan command, which allows the device to use a different VLAN for PnP; it is set up and configured on the upstream switch.
Of the discovery methods, DHCP is the easiest to implement, as no changes are required to the Self Signed Certificate (SSC) on DNA Center; it already includes the IP address by default.
If you are deploying PnP using DNS discovery, or you are building a cluster, you will need to acquire a certificate whose Subject Alternative Names include the DNS and IP entries for the following:
- All Node IP Addresses
- All VIP Addresses for Cluster
- All DNS Host entries for Nodes
- VIP DNS Host entry for Cluster
- pnpserver Host or CNAME entries
To build a certificate in dCloud, follow these steps
To build a certificate for use in DNA Center for PnP, follow this outline of steps. Each step can take some time, so plan accordingly.
- On the Active Directory Server add the roles for the Certificate Authority to allow WEB enrollment
- Add the required DNS entries for DNA Center as per the sections below
- On DNA Center in CLI create a CSR using openssl
- Enroll DNA Center via the CSR on the Windows CA
- Upload the Certificate to DNA Center
To use a DNS entry for discovery purposes, certificates will need to be rebuilt with Subject Alternative Names. Please use the process documented in the DNA Center Certificates page for information on that process.
Follow this guide for more information on the finer details.
As depicted in the following image, the Catalyst 9300 c9300-2 will serve as the upstream neighbor for this exercise and as the environment's distribution switch. A second Catalyst 9300, c9300-1, will act as the target switch, which we will deploy via PnP and Day 0 and Day N templates.
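The five SAN entries listed above are easy to miss when a certificate is rebuilt, so here is an added checker (example code, not part of the lab) that parses a SAN line as printed by `openssl x509 -noout -ext subjectAltName` and reports which checklist entries are absent. The SAN value and the node address 198.18.129.101 are constructed for the example; the VIP 198.18.129.100 and the dcloud.cisco.com names are the lab's.

```python
import ipaddress

# Constructed SAN line in the form printed by "openssl x509 -noout -ext subjectAltName".
EXAMPLE_SAN = ("DNS:dnac-vip.dcloud.cisco.com, DNS:pnpserver.dcloud.cisco.com, "
               "IP Address:198.18.129.100")


def parse_san(san_line):
    """Split a SAN line into (dns_names, ip_addresses).
    Names are lower-cased and addresses normalised through ipaddress so that
    comparisons are not tripped up by case or IPv6 shorthand."""
    dns, ips = set(), set()
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.add(value.strip().lower())
        elif kind == "IP Address":
            ips.add(str(ipaddress.ip_address(value.strip())))
    return dns, ips


def missing_san_entries(san_line, node_ips, vips, node_names, cluster_name, pnp_names):
    """Return the lab checklist entries the certificate lacks, in the order
    node IPs, cluster VIPs, node hostnames, cluster hostname, pnpserver names."""
    dns, ips = parse_san(san_line)
    missing = []
    for ip in list(node_ips) + list(vips):
        if str(ipaddress.ip_address(ip)) not in ips:
            missing.append(f"IP Address:{ip}")
    for name in list(node_names) + [cluster_name] + list(pnp_names):
        if name.lower() not in dns:
            missing.append(f"DNS:{name}")
    return missing


if __name__ == "__main__":
    # Constructed single-node cluster values; 198.18.129.101 is a made-up node address.
    print(missing_san_entries(EXAMPLE_SAN,
                              node_ips=["198.18.129.101"], vips=["198.18.129.100"],
                              node_names=["dnac-node1.dcloud.cisco.com"],
                              cluster_name="dnac-vip.dcloud.cisco.com",
                              pnp_names=["pnpserver.dcloud.cisco.com"]))
```

An empty list means the certificate covers every entry for the cluster values you pass in; anything returned must be added to the CSR before re-enrolling.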
For the lab, we will utilize VLAN 5 as the management VLAN. Connect to switch c9300-2 and paste the following configuration:
config t
!
vlan 5
name "mgntvlan"
!
int vlan 5
ip address 192.168.5.1 255.255.255.0
ip ospf 1 area 0
no shutdown
!
pnp startup-vlan 5
end
!
wr
!
The pnp startup-vlan 5 command programs the target switch's connected port as a trunk and automatically adds the VLAN and SVI to the target switch, making that VLAN ready to accept a DHCP address. The feature is available when the upstream neighbor runs IOS XE 16.6 or later. Older switches or upstream devices that cannot run the command should use VLAN 1 and then set the correct management VLAN as part of the onboarding process.
We need a DHCP scope to temporarily supply an address within the management network to complete the configuration and onboarding. Configure the scope to offer IP addresses from part of the address range, leaving the other part for static addresses. You could also use reservations, as DHCP servers can reserve addresses for specific MAC addresses; one benefit is that DNS host entries are updated automatically, depending on the DHCP server.
The DHCP scope should therefore incorporate the following minimal configuration:
- network
- default gateway
- domain - required if the DNS lookup discovery method (method 2 below) is used
- name-server ip - required if the DNS lookup or cloud redirection discovery method (method 2 or 3 below) is used
- DHCP relay or helper statement - to be added to the gateway interface pointing to the DHCP server
There are many options for DHCP services; in this lab we will cover the Windows and IOS configurations. Configure the DHCP scope on one of the following:
- Switch or Router
- Windows DHCP Server
- InfoBlox or other 3rd party server
During this lab setup, please choose which option you wish to use for DHCP for PnP services and follow those subsections.
With the IOS method, the DHCP pool is configured on a router or switch in the network.
To use the IOS DHCP configuration method, connect to switch c9300-2 and paste the following configuration:
!
conf t
!
ip dhcp excluded-address 192.168.5.1 192.168.5.1
ip dhcp pool pnp_device_pool
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
end
!
wr
!
Next, we will configure the helper address statement on the management VLAN's SVI to point to the router or switch that holds the DHCP configuration. Connect to switch c9300-2 and paste the following configuration:
!
conf t
!
interface Vlan 5
ip helper-address 192.168.5.1
end
!
wr
!
For a complete configuration example please see Configuring the Cisco IOS DHCP Server
To use the Windows DHCP service, connect to the Windows AD1 server. On the Windows server you have two options to deploy DHCP scopes: the UI or PowerShell. We will deploy the scope via PowerShell. Paste the following into PowerShell to create the required DHCP scope:
Add-DhcpServerv4Scope -Name "DNAC-Templates-Lab" -StartRange 192.168.5.1 -EndRange 192.168.5.254 -SubnetMask 255.255.255.0 -LeaseDuration 6.00:00:00 -SuperScope "PnP Onboarding"
Set-DhcpServerv4OptionValue -ScopeId 192.168.5.0 -Router 192.168.5.1
Add-Dhcpserverv4ExclusionRange -ScopeId 192.168.5.0 -StartRange 192.168.5.1 -EndRange 192.168.5.1
The DHCP scope will look like this in Windows DHCP Administrative tool:
Next, we will introduce the helper address statement on the management VLAN's SVI to point to the Windows DHCP server. Connect to switch c9300-2 and paste the following configuration:
!
conf t
!
interface Vlan 5
ip helper-address 198.18.133.1
end
!
wr
!
As you may recall, a device must use a discovery method to find DNA Center.
The PnP components are as follows:
There are three automated methods to make that occur:
- DHCP with option 43 - requires the DHCP server to offer a PnP string via option 43
- DNS lookup
  - requires the DHCP server to offer a domain suffix and a name server to resolve the pnpserver address
  - requires the pnpserver entry to appear in the Subject Alternative Name of the GUI Certificate
- Cloud re-direction via https://devicehelper.cisco.com/device-helper - requires the DHCP server to offer a name server to make DNS resolutions
Please choose one of the following subsections as the discovery method.
If using the IOS DHCP server and you wish to use the option 43 discovery method, paste the following configuration:
!
conf t
!
ip dhcp pool pnp_device_pool
option 43 ascii "5A1N;B2;K4;I198.18.129.100;J80"
end
!
wr
!
If using the Windows DHCP server and you wish to use the option 43 discovery method, paste the following configuration into PowerShell:
Set-DhcpServerv4OptionValue -ScopeId 192.168.5.0 -OptionId 43 -Value ([System.Text.Encoding]::ASCII.GetBytes("5A1N;B2;K4;I198.18.129.100;J80"))
The DHCP scope modification will resemble the following image of the Windows DHCP Administrative tool:
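Both option 43 variants above carry the same PnP string, and a malformed one fails silently at the device. The following added example (not part of the lab) parses a string in the lab's 5A1N;B2;K4;I&lt;addr&gt;;J&lt;port&gt; format, validates each field, shows the URL the PnP agent will contact, and produces the same bytes as the PowerShell ASCII.GetBytes() call. Field meanings follow Cisco's documented option 43 layout: 5A1 is the PnP type code with N for no debug (D for debug), B is the address type (1 hostname, 2 IPv4), K the transport (4 HTTP, 5 HTTPS), I the DNA Center address and J the port.

```python
import ipaddress
import re

ADDR_TYPE = {"1": "hostname", "2": "ipv4"}   # B field
TRANSPORT = {"4": "http", "5": "https"}      # K field


def parse_option43(value):
    """Parse "5A1N;B2;K4;I<addr>;J<port>" into a dict; raise ValueError if malformed."""
    fields = [f for f in value.split(";") if f]
    if not fields or not re.fullmatch(r"5A1[ND]", fields[0]):
        raise ValueError("option 43 must start with the PnP type code 5A1N (or 5A1D for debug)")
    result = {"debug": fields[0].endswith("D")}
    for field in fields[1:]:
        key, val = field[0], field[1:]
        if key == "B" and val in ADDR_TYPE:
            result["addr_type"] = ADDR_TYPE[val]
        elif key == "K" and val in TRANSPORT:
            result["transport"] = TRANSPORT[val]
        elif key == "I" and val:
            result["server"] = val
        elif key == "J" and val.isdigit() and 0 < int(val) < 65536:
            result["port"] = int(val)
        else:
            raise ValueError(f"unrecognised or malformed option 43 field {field!r}")
    for needed in ("addr_type", "transport", "server", "port"):
        if needed not in result:
            raise ValueError(f"option 43 string is missing its {needed} field")
    if result["addr_type"] == "ipv4":
        ipaddress.IPv4Address(result["server"])  # raises ValueError on a bad address
    # The URL the PnP agent contacts first; K4 means that first contact is plain HTTP.
    result["url"] = f"{result['transport']}://{result['server']}:{result['port']}"
    return result


def is_valid_option43(value):
    try:
        parse_option43(value)
        return True
    except ValueError:
        return False


def option43_bytes(value):
    """The bytes the DHCP server sends, matching the lab's ASCII.GetBytes() call."""
    parse_option43(value)        # never push a malformed string into the scope
    return value.encode("ascii")


if __name__ == "__main__":
    print(parse_option43("5A1N;B2;K4;I198.18.129.100;J80"))
```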
If using the IOS DHCP server and you wish to use the DNS lookup discovery method, paste the following configuration:
!
conf t
!
ip dhcp pool pnp_device_pool
dns-server 198.18.133.1
domain-name dcloud.cisco.com
end
!
wr
!
Next, add the DNS entries to allow for the DNA Center to be discovered. This script will add an A host entry for the VIP address and a CNAME entry as an alias for the pnpserver record required for DNS discovery.
Add-DnsServerResourceRecordA -Name "dnac-vip" -ZoneName "dcloud.cisco.com" -AllowUpdateAny -IPv4Address "198.18.129.100" -TimeToLive 01:00:00
Add-DnsServerResourceRecordCName -Name "pnpserver" -HostNameAlias "dnac-vip.dcloud.cisco.com" -ZoneName "dcloud.cisco.com"
The DNS Zone will look like this in Windows DNS Administrative tool:
If using the Windows DHCP server and you wish to use the DNS lookup discovery method, paste the following configuration into PowerShell:
Set-DhcpServerv4OptionValue -ScopeId 192.168.5.0 -DnsServer 198.18.133.1 -DnsDomain "dcloud.cisco.com"
The DHCP scope will resemble the following image of the Windows DHCP Administrative tool:
Next, add the DNS entries to allow DNA Center to be discovered. This script adds an A host entry for the VIP address, a CNAME alias dnac for it, a new pnp.dcloud.cisco.com zone, and a CNAME entry in that zone for the pnpserver record required for DNS discovery.
Add-DnsServerResourceRecordA -Name "dnac-vip" -ZoneName "dcloud.cisco.com" -AllowUpdateAny -IPv4Address "198.18.129.100" -TimeToLive 01:00:00
Add-DnsServerResourceRecordCName -Name "dnac" -HostNameAlias "dnac-vip.dcloud.cisco.com" -ZoneName "dcloud.cisco.com"
Add-DnsServerPrimaryZone -Name "pnp.dcloud.cisco.com" -ReplicationScope "Forest" -PassThru
#Pause required to allow Zone to be created prior to CNAME Entry
Start-Sleep -Seconds 60
Add-DnsServerResourceRecordCName -Name "pnpserver" -HostNameAlias "dnac-vip.dcloud.cisco.com" -ZoneName "pnp.dcloud.cisco.com"
The DNS Zone will look like this in Windows DNS Administrative tool:
Note: To use a DNS entry for discovery purposes, certificates will need to be rebuilt with Subject Alternative Names. Please use the process documented in the following page for information on that process.
Typically, the Target switch is connected via a trunk to a single port or a bundle of ports as part of a port channel.
If it is a single-port connection to the target switch, a simplified configuration can be used; however, we will not be using this method in this lab. An example is provided here:
!
conf t
!
interface range gi 1/0/10
description PnP Test Environment to Catalyst 9300
switchport mode trunk
switchport trunk allowed vlan 5
end
!
wr
!
In this exercise, the port where the target switch connects is a layer-two trunk that is part of a port channel:
!
conf t
!
interface range gi 1/0/10-11
description PnP Test Environment to Catalyst 9300
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5
channel-protocol lacp
channel-group 1 mode passive
!
interface Port-channel1
description PnP Test Environment to Catalyst 9300
switchport trunk native vlan 5
switchport trunk allowed vlan 5
switchport mode trunk
no port-channel standalone-disable
end
!
wr
!
When a port channel is used from the start, you want to ensure that it can operate as a single link within the bundle; for that reason, use passive methods for building the port-channel bundles on both the target and the upstream neighbor for maximum flexibility. Additionally, add the no port-channel standalone-disable command so that the switch does not automatically disable the port channel if it does not come up properly.
The following tests apply to the DNS discovery method configured above.
To ensure the environment is ready, we need to try a few things.
First, from a Windows host, use the nslookup command to resolve pnpserver.dcloud.cisco.com. Connect to the Windows workstation, and within the search window, search for CMD. Open the application and type the following command:
nslookup pnpserver.dcloud.cisco.com
Output similar to the following will display, showing the alias resolving to the A host record that identifies the VIP address of the DNA Center cluster.
Second, we need to ensure the DNA Center responds on the VIP, so use the ping command within the CMD application window previously opened as follows:
ping pnpserver.dcloud.cisco.com
At this point, the environment should be set up to onboard devices within VLAN 5 using the network address 192.168.5.0/24, using either option 43 or DNS discovery.
When testing, you will frequently need to start again on the switch to test the whole flow. There are now two methods for this. The first and simplest is to use the pnp service reset command, as advised by Matthew Bishop; this command was introduced in a recent train of IOS XE code.
Failing that, paste the following EEM script into the 9300 target switch. It creates a file on flash which you may load into the running-configuration at any time to reset the device to factory settings:
tclsh
puts [open "flash:prep4dnac" w+] {
!
! Remove any confirmation dialogs when accessing flash
file prompt quiet
!
no event manager applet prep4dnac
event manager applet prep4dnac
event none sync yes
action a1010 syslog msg "Starting: 'prep4dnac' EEM applet."
action a1020 puts "Preparing device to be discovered by device automation - This script will reboot the device."
action b1010 cli command "enable"
action b1020 puts "Saving config to update BOOT param."
action b1030 cli command "write"
action c1010 puts "Erasing startup-config."
action c1020 cli command "wr er" pattern "confirm"
action c1030 cli command "y"
action d1010 puts "Clearing crypto keys."
action d1020 cli command "config t"
action d1030 cli command "crypto key zeroize" pattern "yes/no"
action d1040 cli command "y"
action e1010 puts "Clearing crypto PKI stuff."
action e1020 cli command "no crypto pki cert pool" pattern "yes/no"
action e1030 cli command "y"
action e1040 cli command "exit"
action f1010 puts "Deleting vlan.dat file."
action f1020 cli command "delete /force vlan.dat"
action g1010 puts "Deleting certificate files in NVRAM."
action g1020 cli command "delete /force nvram:*.cer"
action h0001 puts "Deleting PnP files"
action h0010 cli command "delete /force flash:pnp*"
action h0020 cli command "delete /force nvram:pnp*"
action i0001 puts "Resetting Stack Priority"
action i0010 cli command "switch 1 priority 1"
action z1010 puts "Device is prepared for being discovered by device automation. Rebooting."
action z1020 syslog msg "Stopping: 'prep4dnac' EEM applet."
action z1030 reload
exit
!
alias exec prep4dnac event manager run prep4dnac
!
end
}
tclquit
Additionally, for help with troubleshooting, install this helpful EEM script on flash in the same manner as above. It logs every CLI line sent to the switch, which helps deduce where a template may be failing.
tclsh
puts [open "flash:dnacts" w+] {
!
event manager applet CLI_COMMANDS
event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"
!
}
tclquit
Finally, we want to test the routing, connectivity, DHCP, DNS services, and discovery mechanism. Reset the c9300-1 Target switch by pasting the following sequence into the console. We will watch the switch come up but not intercede or type anything into the console after the reboot has started.
!
copy prep4dnac running-config
!
prep4dnac
!
The switch should reboot and eventually display the following in the console, which acknowledges that the 9300 has discovered DNA Center.
Additionally, within DNA Center on the Plug and Play window, the device should show as unclaimed.
The next step will be to build the PnP onboarding settings and template on DNA Center, which we will cover in the next lab, entitled Onboarding Templates. That lab explains in depth how to deploy Day 0 templates.
Feedback: If you found this repository useful, please leave comments and feedback on how it could be improved.